On Tue, Jul 29, 2008 at 08:51:45PM +0100, Mike Auty wrote:
> In this Glep (xx+1), in the section discussing the procedure for
> creating a MetaManifest file, in step 3.3, does that include
> verification of the manifest's signature if it has one? It would seem
> odd to ignore the signature if it's wrong (I'm not sure about the case
> if a signature isn't present). I also don't know how this would then be
> handled (a complete abort, or ignoring the latest changeset to that
> ebuild?).
It doesn't care whatsoever about signatures inside Manifests.
That's because there's no difference between a Manifest that isn't
signed by a developer, and a Manifest that is developer-signed but any
master signature on the developer has been revoked.
It's also totally impossible to just block a changeset at the moment
like that, even if we had Git.

> If the signature check happened here, it could also allow for
> enforceable revocation of developer certificates (once they're revoked,
> any signed manifests will have the ebuild changes ignored). That may be
> a lot of work and may take too long, but if not (and depending on our
> users' trust needs), it might allow them just to check the
> MetaManifest's signature, and not that of the individual packages. Does
> that seem sensible?
They don't need to check the signatures of the individual packages
unless they are really paranoid anyway. You've missed one of the key
points of MetaManifest:
It defends ONLY the path from the Gentoo infrastructure to the users.

P.S., you don't need to CC me.

--
Robin Hugh Johnson
Gentoo Linux Developer & Infra Guy
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
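The trust model Robin describes, as an added illustration that is not part of the thread or of the GLEP: the generator hashes every per-package Manifest as found in the tree without consulting any developer signature inside it, and the user checks only the infra signature on the MetaManifest plus the per-Manifest digests. The infra key, the HMAC stand-in for the OpenPGP signature, the JSON layout and the sample tree are all constructed assumptions, not the real MetaManifest format.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the infra signing key (assumption: real MetaManifests
# are OpenPGP-signed; HMAC is used here only so the example runs offline).
INFRA_KEY = b"constructed-infra-key"

def manifest_digest(manifest_text: str) -> str:
    return hashlib.sha256(manifest_text.encode()).hexdigest()

def build_metamanifest(manifests: dict) -> dict:
    """Generator side: digest each Manifest exactly as it sits in the tree,
    whether or not it carries a developer signature, then sign the list."""
    body = {path: manifest_digest(text) for path, text in sorted(manifests.items())}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(INFRA_KEY, payload, hashlib.sha256).hexdigest()}

def verify_tree(metamanifest: dict, manifests: dict) -> bool:
    """User side: check the infra signature, then every Manifest digest.
    No per-package developer signature is ever examined."""
    payload = json.dumps(metamanifest["body"], sort_keys=True).encode()
    expected = hmac.new(INFRA_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, metamanifest["sig"]):
        return False
    if set(metamanifest["body"]) != set(manifests):
        return False  # a Manifest added or removed in transit
    return all(hmac.compare_digest(metamanifest["body"][p], manifest_digest(t))
               for p, t in manifests.items())

# Constructed sample tree: one Manifest has a developer signature block, one does not.
TREE = {
    "app-misc/foo/Manifest": "DIST foo-1.tar.gz 1234 SHA256 abcd\n-----BEGIN PGP SIGNATURE-----\n...\n",
    "app-misc/bar/Manifest": "DIST bar-2.tar.gz 999 SHA256 ef01\n",
}

def demo() -> tuple:
    mm = build_metamanifest(TREE)
    intact = verify_tree(mm, TREE)
    # Modification on the infra->user path (e.g. a mirror altering a Manifest) is caught.
    tampered = dict(TREE)
    tampered["app-misc/bar/Manifest"] = "DIST bar-2.tar.gz 999 SHA256 dead\n"
    caught = not verify_tree(mm, tampered)
    # A tree whose developer signature was stripped before generation verifies just
    # the same: the MetaManifest covers what infra published, not who committed it.
    unsigned = dict(TREE)
    unsigned["app-misc/foo/Manifest"] = "DIST foo-1.tar.gz 1234 SHA256 abcd\n"
    return intact, caught, verify_tree(build_metamanifest(unsigned), unsigned)
```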